Australia’s privacy landscape shifted in late 2024 and throughout 2025. Higher penalties, mandatory breach notifications that now bite many more enterprises, a brand-new statutory tort that lets individuals sue for serious invasions of privacy, and compulsory ransomware payment reporting for larger turnovers have all combined to raise the stakes. Cyber insurance has responded by tightening underwriting standards and by refining what is and is not covered. For a small or medium business owner the question is no longer whether cyber risk matters but how to knit together legal compliance, good security practice and the right insurance wording. This article explains what changed, why those changes matter to your balance sheet and how to make sure your cyber policy still does its job.
A quick snapshot of the 2024 and 2025 privacy and cyber reforms
Parliament passed the Privacy and Other Legislation Amendment Act 2024 in November 2024, with most provisions live by December that year. The Act amended the long-standing Privacy Act 1988 and gave the Office of the Australian Information Commissioner stronger investigative and penalty powers. 10 June 2025 then marked the commencement of a statutory tort for serious invasions of privacy, which opened the door to private lawsuits in addition to OAIC action. At the same time the Cyber Security Act 2024 introduced ransomware payment reporting rules for entities that turn over three million dollars or more, and the government flagged that the small business exemption in the Privacy Act will likely disappear completely in a second tranche of reforms expected during 2026 or 2027.
These changes are easiest to see in a before versus after summary.
| Key area | Position before 2025 | Position after 2025 |
|---|---|---|
| Maximum civil penalty under Privacy Act | Just over 2 million dollars for serious repeat offences | The greater of 50 million dollars, three times the benefit obtained, or 30 percent of adjusted annual turnover |
| Small business exemption | Most entities under 3 million dollars turnover outside health sector exempt from key obligations | Exemption narrowed in practice through tort risk, ransomware rules, and OAIC guidance, with full removal on the horizon |
| Private right of action | None for privacy invasions | Statutory tort of serious invasion of privacy from 10 June 2025 |
| Ransomware payment reporting | Voluntary ACSC notification recommended | Compulsory reporting for entities with turnover of three million dollars or more within seven days of payment |
| OAIC investigative tools | Limited information-gathering and penalty notices | Broader search and seizure powers, infringement notices up to 66 thousand dollars, and binding compliance notices |
| Technical security standard | Reasonable steps test under APP 11 without specific reference points | APP 11 still applies but government and OAIC point to Essential Eight maturity levels and ASD ISM as benchmarks |
The table makes clear that liability ceilings have exploded, private actions are now real, and day-to-day compliance requires more structured evidence of security controls.
How the reforms increase financial risk for Australian SMBs
Mandatory breach reporting now captures many companies that once fell comfortably under the three million turnover threshold. Even if an organisation remains below that line, the new statutory tort means an affected individual can commence proceedings for misuse of personal information, reckless handling of data or an unjustified intrusion into seclusion. Legal defence costs escalate quickly and, unlike an OAIC investigation, litigation risk is unpredictable because damages can include emotional distress.
With penalties now pegged to either benefit obtained or a slice of turnover, fines that once felt theoretical have real balance-sheet impact. A nine million turnover technology reseller that commits a serious breach could in theory face a penalty close to three million. That figure arrives before counting legal fees, investigation costs, system restoration, PR consultants or revenue lost because customers walk away.
Ransomware remains the most common cause of serious cyber incidents reported to the Australian Cyber Security Centre. The ACSC Annual Cyber Threat Report 2024-25 notes that nearly two-thirds of ransomware victims had fewer than two hundred staff. The new reporting rule forces larger SMBs to notify Home Affairs of any ransom payment within a week, which adds administrative workload and public scrutiny on top of already stressful negotiations with criminals.
All of these elements combine to make a single breach far more expensive in 2025 than in 2023. That is the new cost baseline against which insurance must perform.
Where cyber insurance fits after the 2025 reforms
Cyber insurance is still designed around two broad buckets. First party cover reimburses the insured for its own costs. Third party cover responds to claims, complaints or investigations brought by others. The fundamentals have not changed but the reforms mean each bucket now needs sharper definitions.
Insurers have responded to higher privacy penalties by asking detailed questions about MFA, endpoint detection and response, patching schedules, offline backups and staff awareness. Many carriers ask for proof, such as an Essential Eight assessment or an externally generated security rating. Where controls fall short, insurers typically impose ransomware sub-limits or increased deductibles.
It is useful to map the main new risk categories against standard policy components.
| Risk created by reform | Related policy section | Watch point |
|---|---|---|
| OAIC investigation with potential million-dollar penalty | Regulatory and privacy liability section | Some fines may be uninsurable at law, so policies often pay defence costs but not the penalty itself |
| Lawsuit under statutory tort | Privacy liability or media liability section | Wording must be broad enough to catch tort claims not just Privacy Act breaches |
| Mandatory customer notification and credit monitoring | Breach response costs in first party cover | Check sub-limits and whether printing and postage are included |
| Ransomware response plus government reporting | Cyber extortion and incident response section | Many policies require immediate insurer consent and involvement of law enforcement, which aligns with the reporting duty |
| Business interruption during system rebuild | Business interruption extension | Coverage often limited to a set period with waiting hours before it starts |
The presence of a loosely defined tort has also persuaded some insurers to cap defence costs on privacy claims within the aggregate limit, reasoning that a mass class action could exhaust tens of thousands of billable hours. Businesses that hold large databases should pay close attention to those sub-limits.
Policy health check for the 2025 and 2026 renewal seasons
Are regulatory investigations and OAIC proceedings covered?
Begin by locating the definition of Claim in your policy schedule. Some wordings capture administrative or regulatory proceedings automatically, while others need an endorsement. Confirm that costs incurred in responding to notices under the Notifiable Data Breaches scheme sit clearly within the policy. Ask whether civil penalties are indemnified where Australian law allows. Even if fines are excluded, defence costs should be covered from day one because OAIC inquiries require prompt legal guidance.
Does the wording address the statutory tort of privacy?
Look for language that references any breach or violation of privacy law or a right to privacy recognised at common law or statute. Some older forms refer only to a wrongful disclosure of personal information, which may be too narrow. If the wording feels vague, request an endorsement that explicitly lists actions under the statutory tort among insured events.
What costs associated with breach notification are included?
Notification involves drafting letters, sending emails or letters, outsourcing call centres, and sometimes providing credit monitoring. Policies differ on which of those expenses fit within breach response costs. Ensure that the printing and postage of physical letters is not overlooked if your customer base still relies on paper communication. Clarify whether costs to set up a dedicated website or hotline are reimbursable.
How does the policy treat ransomware extortion?
Most insurers adopt a carrot and stick approach. They will fund negotiators and payments when legally permitted but insist that backups are regularly tested and MFA is active. Some now require proof that your business has run a tabletop exercise within the previous year. Policies always exclude payments to sanctioned entities, so consult the Australian Sanctions Office before authorising any transfer. Finally, check the interaction with government reporting. You will need to inform both the insurer and Home Affairs inside short timeframes, and those notifications should not contradict each other.
What security controls must stay in place throughout the policy period?
The proposal form may ask about controls, but the policy wording usually contains a continuing duty of reasonable care. If you told the insurer that MFA covers all remote access, dropping that control mid-year may jeopardise a claim. Maintain evidence such as screenshots, configuration logs and staff-training registers. Align those controls with ACSC Essential Eight Maturity Level One at minimum, because that framework now sets a de facto standard for reasonable steps under APP 11.
Do other policies overlap or leave gaps?
Professional indemnity, management liability and even general property policies occasionally respond to cyber incidents in part. Relying on those policies can lead to double insurance disputes or uncovered exclusions. Conduct a holistic review so that privacy fines, copyright claims, employee record breaches and business interruption all sit somewhere, without relying on chance.
Cyber insurance, compliance and cyber security all work together
Buying cyber cover does not satisfy legal obligations under the Privacy Act. OAIC guidance makes it clear that organisations must take reasonable steps to protect personal information irrespective of any insurance arrangement. In practical terms that means implementing technical measures such as multi-factor authentication, EDR across endpoints, regular patching and immutable backups. It also means adopting organisational measures such as a written breach response plan, signed employee confidentiality agreements and regular privacy training.
Insurance then steps in to fund the residual risk that persists even after controls are in place. An incident response retainer can be part of that safety net, but insurers will often provide a panel of pre-approved forensic and legal specialists within a covered claim, which speeds up the process and avoids haggling over hourly rates when every minute counts.
Data minimisation deserves special mention. Holding less personal data limits exposure under the statutory tort and reduces the scope of mandatory data breach assessments. Insurers increasingly favour businesses that cull unneeded records, because the severity of any breach scales with the volume and sensitivity of data taken.
Practical next steps for Australian SMBs
Start by mapping the personal information you collect and where it lives, both on premises and in cloud services. Once you understand the data flows, align your security program with the Essential Eight baseline and schedule quarterly patching and backup tests. Review your privacy policy to make sure it reflects actual practice and references the latest OAIC guidance. Then obtain an independent security or privacy assessment so that you can present hard evidence of controls to insurers at renewal. Finally, sit down with a specialist broker who understands the Australian reforms and walk through each policy clause using the questions above.
FAQs: Cyber insurance and the 2025 privacy changes
Is cyber insurance now mandatory for Australian small businesses?
No legislation currently forces an SMB to purchase cyber cover. However, contractual obligations with clients or lenders may require it, and the financial exposure after 2025 makes the product strongly advisable.
Did the Privacy Act reforms remove the three million dollar exemption completely?
Formally, the exemption still exists, but in practice most SMBs now have notification duties and face tort liability. The government has signalled that a second reform tranche will abolish the exemption altogether.
Will cyber insurance pay Privacy Act fines?
Some penalties are uninsurable under Australian law because they are considered punitive. Many policies still reimburse legal defence costs and investigatory expenses. Always confirm with legal counsel.
Does cyber insurance respond to statutory tort privacy lawsuits?
Most contemporary privacy liability wordings do respond provided the definition of Wrongful Act or similar term encompasses any breach of privacy right. Older forms may require an endorsement.
If I pay a ransom, will the insurer reimburse me and what must I report?
Policies vary. Many reimburse lawful payments approved in advance. Entities with turnover above three million must notify the Department of Home Affairs within seven days of payment. Insurers usually require the same supporting evidence and will not reimburse payments to sanctioned groups.
Can stronger cyber security controls reduce my premium?
Yes. Insurers reward demonstrable controls such as enforced MFA, regular vulnerability scans and documented backup tests. Evidence can translate to lower premiums, reduced deductibles or higher policy limits.
Does cyber insurance cover breaches involving employee data?
Often it does, but the Privacy Act has a separate employee records carve-out that complicates matters. Check definitions carefully and seek advice if staff information forms a large proportion of your data set.
What is the difference between cyber insurance and professional indemnity?
Professional indemnity protects against negligence in professional services, for example giving incorrect tax advice. Cyber insurance focuses on privacy breaches, system damage and regulatory investigations. Each fills different gaps and together they create a more complete safety net.
Conclusion
The 2025 privacy and cyber reforms have rewritten the risk equation for Australian small and medium enterprises. Higher penalties, private rights of action and mandatory ransomware reporting mean that a single cyber event can threaten solvency. Cyber insurance remains a critical tool but only when coupled with mature security controls and an up-to-date understanding of legal duties. By auditing data, strengthening defences and interrogating policy wording during renewal, SMBs can move forward with confidence that all three pillars of risk management are working in concert.